SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

INTERNET STORM CENTER TECH CORNER

NEW Whitepaper - Keeping threats away from your network is a critical first line of defense. A sandbox automatically isolates files to determine if they're safe, providing an instant additional layer of detection and protection. Find out why conventional defenses don't protect you from APTs and how sandboxing can help. Learn More: http://www.sans.org/info/187305

TOP OF THE NEWS

According to a report from the Ponemon Institute, nearly 80 percent of businesses say they do not have sufficient infrastructure or personnel to monitor their networks for and defend their networks against cyberattacks. Only 17 percent say they have established formal, company-wide intelligence gathering processes.

German law enforcement officials investigated control systems at several critical infrastructure organizations in Europe, as well as an apartment building in Israel. They were able to access control systems at a district heating organization in Rome, heat and power plants in Germany and Austria, and a luxury apartment building with smart technology in Israel, at which they were able to disable elevators and alarms, and take control of air conditioning units.

Read more in: SC Magazine UK: Critical infrastructure in Europe exposed to hackers - http://www.scmagazineuk.com/critical-infrastructure-in-europe-exposed-to-hackers/article/510017/

UK Rail Cyberattacks (July 12 and 15, 2016)

The UK's railway network was targeted in four cyberattacks over the past year, according to Darktrace, the company responsible for defending a large portion of that network. The intruders did not attempt to cause disruptions; instead, they appear to have conducted network surveillance.

THE REST OF THE WEEK'S NEWS

Ammyy Admin Watering Hole Attack (July 18, 2016)

A group intent on spreading malware managed to hide it in a legitimate administrative tool that allows users to access their computers remotely. A group known as Lurk altered the installer for Ammyy Admin to make it install the malware along with the tool when users downloaded it.

[Editor Comments ]

[Williams ]: If organizations would start requiring installation packages to be signed, this attack vector would be all but dead. Ammyy Admin has a reputation as being good to use for free one-time remote access support and attackers know that we'll cut corners on security to save a few dollars. A little security due diligence here will go a long way.

Read more in: Ars Technica: Criminals plant banking malware where victims least expect it - http://arstechnica.com/security/2016/07/criminals-plant-banking-malware-where-victims-least-expect-it/

HTTPoxy Man in the Middle and Denial of Service Vulnerability (July 18, 2016)

Researchers released details of a new vulnerability, dubbed HTTPoxy, that allows man-in-the-middle and denial-of-service attacks against some server-side applications that make their own outbound HTTP requests. The flaw stems from CGI and CGI-like environments copying the non-standard, client-supplied "Proxy" request header into the HTTP_PROXY environment variable, which many HTTP client libraries honour as the outbound proxy setting; untrusted input therefore chooses the proxy through which the application's requests are sent (a classic case of using untrusted input). System owners are encouraged to block the Proxy header at a reverse proxy and/or update server configurations to ignore the Proxy header and not store it in the HTTP_PROXY environment variable. More information can be found here:
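The chain described above, as an added example (not code from the newsletter or from the HTTPoxy advisory): the RFC 3875 header-to-environment mapping that turns "Proxy:" into HTTP_PROXY, a client library that honours that variable, and the three places the chain can be broken. The attacker request and host names are constructed; the Apache and nginx directives named in the comments are the published mitigations, shown here only as what each function is equivalent to.

```python
"""
HTTPoxy, end to end: a client-supplied "Proxy" request header becomes the
HTTP_PROXY CGI meta-variable, an HTTP client library inside the application
honours that variable, and the application's outbound requests are routed
through a proxy the attacker chose. Added example; the request below is
constructed, not captured traffic.
"""
from typing import Dict, Optional

# Constructed attacker request: only the "Proxy" header is malicious.
ATTACK_REQUEST: Dict[str, str] = {
    "Host": "app.example.invalid",
    "User-Agent": "curl/7.49.0",
    "Proxy": "http://attacker.example.invalid:8080",
}


def cgi_meta_variables(request_headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 header-to-environment mapping: uppercase the header name,
    replace '-' with '_', prefix 'HTTP_'. This is exactly the step that turns
    'Proxy: ...' into HTTP_PROXY."""
    env: Dict[str, str] = {"REQUEST_METHOD": "GET"}  # CGI always sets this
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy_naive(env: Dict[str, str]) -> Optional[str]:
    """Emulates a client library that takes its proxy from HTTP_PROXY in the
    environment (the behaviour HTTPoxy abuses). Which spellings a given
    library honours varies; this one checks both."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# --- Mitigation 1: strip the header before the environment is built -------
def strip_proxy_header(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Equivalent of dropping 'Proxy' at the reverse proxy or web server
    (Apache mod_headers: RequestHeader unset Proxy early)."""
    return {k: v for k, v in request_headers.items() if k.lower() != "proxy"}


# --- Mitigation 2: never export a request-derived HTTP_PROXY --------------
def cgi_meta_variables_hardened(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Equivalent of nginx's  fastcgi_param HTTP_PROXY "";  whatever the
    request carried, the application never sees HTTP_PROXY from it."""
    env = cgi_meta_variables(request_headers)
    env.pop("HTTP_PROXY", None)
    return env


# --- Mitigation 3: the client library refuses request-derived proxies -----
def outbound_proxy_cgi_aware(env: Dict[str, str]) -> Optional[str]:
    """Ignore HTTP_PROXY when running under CGI (REQUEST_METHOD is set), the
    approach CPython's urllib took for this bug. Lowercase http_proxy cannot
    be produced from a request header by the CGI mapping, so it stays honoured."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def demo() -> Dict[str, Optional[str]]:
    """Run the constructed attack against each configuration and report where
    the application's outbound requests would be sent (None = direct)."""
    return {
        "vulnerable": outbound_proxy_naive(cgi_meta_variables(ATTACK_REQUEST)),
        "header_stripped": outbound_proxy_naive(
            cgi_meta_variables(strip_proxy_header(ATTACK_REQUEST))),
        "env_hardened": outbound_proxy_naive(
            cgi_meta_variables_hardened(ATTACK_REQUEST)),
        "client_hardened": outbound_proxy_cgi_aware(
            cgi_meta_variables(ATTACK_REQUEST)),
    }


if __name__ == "__main__":
    for setup, proxy in demo().items():
        print(f"{setup:16s} -> outbound proxy: {proxy or 'none (direct)'}")
```

Only the "vulnerable" setup routes the application's outbound traffic to the attacker's proxy; the other three all answer "direct". In practice apply mitigation 1 or 2 at the server regardless of which client libraries the application uses, because the library-side fix only helps once every affected library has been updated.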

A former employee of the St Louis Cardinals baseball team has been sentenced to nearly four years in prison for accessing the Houston Astros' computer network without authorization. Christopher Correa was also ordered to pay nearly US $280,000 in restitution.

Android Trojan Blocks Calls to Banks (July 15, 2016)

A variant of the Android.Fakebank.B Trojan horse program blocks infected devices from calling banks to cancel compromised payment cards. Fakebank is designed to steal online banking account access credentials. The variant has been detected in Russia and South Korea.

[Editor Comments ]

[Williams ]: As telephone networks become increasingly IP controlled, expect to see more of these converged attack vectors where attackers disrupt telephonic communications to perpetuate attacks. Traditionally, we only see attackers target confidentiality of these communications, but here we see availability targeted as well. It makes sense to have out of band communications plans ready, including email and telephone.

Read more in: Computerworld: This Android Trojan blocks the victim from alerting banks - http://www.computerworld.com/article/3095891/security/this-android-trojan-blocks-the-victim-from-alerting-banks.html

Two US Senators have written a letter to the Secretary of the Navy, asking that all personnel be trained in celestial navigation. The Navy uses the US Air Force Global Positioning System (GPS) for navigation; that system uses satellite transmissions which are fairly easy to jam and are "susceptible to damage or inaccuracies due to naturally occurring phenomena."

[Editor Comments ]

[Pescatore ]: Now, I'm a ham radio operator and Morse code enthusiast so I'm fine with a back to the basics movement. But, in the spirit of the Critical Security Controls and the IAD Top Ten as proven means of focusing security efforts on the highest risk/highest payback areas, I'd rather see the power of our elected officials put to more fruitful use.

[Northcutt ]: It is great that the Naval Academy has reinstated training on the use of sextants in navigation. That said, trying to teach all Navy personnel "CELNAV" is a silly idea. Only a fraction of a ship's company are going to be in a position to get a sighting of the stars, have access to a high quality time source, or a decent sextant. GPS is generally considered to be accurate to at least 3 meters; CELNAV, depending on who you ask, is 0.5 to 2 nautical miles. The Navy would have to modify fleet formations and port access protocols to account for the change in accuracy. That said, it makes all the sense in the world to put an Astra III or similar on all sea going vessels with trained operators just to have a "second opinion" on position:

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.